New SophosLabs research: Exploring the popularity and applications of document exploit builder Ancalog

Document exploitation is a well-known method of malware distribution among cybercriminals. A common explanation for why crooks use booby-trapped documents is that victims are more easily persuaded to open a document attachment than an executable.

Word, Excel and PDF documents that contain so-called exploits – active booby-traps – have the added advantage, from the attacker's point of view, of not requiring victims to manually enable macros, as VBA downloaders usually do.

The latest technical paper from SophosLabs explores why we’re seeing more document exploitation malware in the wild, and investigates the long-standing popularity of a document exploitation generator called Ancalog, which is widely commercially available.


New SophosLabs research: Cryptomining malware on NAS servers worldwide

SophosLabs has just released a research paper on a new way that cybercriminals are distributing malware that makes money by “borrowing” your computer to mine cryptocurrency.

The report by Attila Marosi, Senior Threat Researcher at Sophos, investigates the Mal/Miner-C malware, which criminals are using to mine the cryptocurrency Monero.

In this paper, Marosi examines how Mal/Miner-C quietly infects victims’ computers and communicates with host servers to run mining operations covertly in the background.


Cybercriminals shift their tactics for Microsoft Office document exploitation – SophosLabs research

This latest technical paper from our team in SophosLabs examines the newest techniques being used by cybercriminals to conduct Microsoft Office document exploits.

For four years, the preferred vulnerability for a document exploit attack was CVE-2012-0158, but as this vulnerability has aged out – due to users and administrators updating and patching their systems to remediate it – criminals have had to target new vulnerabilities to keep up their attacks.

SophosLabs has found that criminals using several popular exploit kits, including Microsoft Word Intruder, are now predominantly targeting CVE-2015-1641 and CVE-2015-2545.


“The Word bug that just won’t die”: CVE-2012-0158, the cybercrime gift that keeps on taking…

Arguably one of the most exploited Microsoft Office vulnerabilities of the last decade, CVE-2012-0158 owes its longevity to constant adaptation. Ever since its disclosure in 2012, this vulnerability has been the attack vector of choice for attackers seeking to hijack Microsoft Word or Excel and force those programs to execute malicious code.

In fact, according to SophosLabs research, as late as Q4 2015, CVE-2012-0158 was still used by 48% of exploits specifically targeting Office documents.

In this new research paper, Graham Chantry of SophosLabs provides a deep dive into several exploits found in the wild and how they work using CVE-2012-0158.


SophosLabs: Vawtrak banking malware updated with new targets and innovations

A new version of a deceptive banking malware has been responsible for a series of attacks on financial institutions in many countries around the world in the past year, SophosLabs reports in a new research paper.

Vawtrak (also known as NeverQuest and Snifula) has been around for a few years now, yet it continues to thrive as a popular crimeware-as-a-service kit used by a variety of cybercriminal groups.

SophosLabs analysis of what we are simply calling Vawtrak version 2 shows the malware authors have introduced new innovations, while making frequent updates to meet demand and stay ahead of defenses.


Why malware authors keep using the same old Microsoft Office exploits

SophosLabs Principal Malware Researcher Gabor Szappanos has closely studied Microsoft Office exploits for the past few years. We’ve previously covered his investigation of the Microsoft Word Intruder exploit creation kit, and his recent paper exploring the most popular Office exploit kits.

In a new research report, Gabor takes a closer look at the top four Office exploit kits used in the last quarter of 2015. He also reports which exploits were most commonly used in malicious documents, and shows us what families of malware were distributed by the studied samples.

As Gabor explains, malware authors are increasingly attracted to document exploits as the initial entry point for their attacks. The attackers spread their booby-trapped Office documents through phishing emails spammed out to large numbers of random recipients (cybercrime groups), or to a more select list of targets (APT groups).

Notably, the majority of Office exploits that malware authors have been using in malicious documents are now several years old. The most popular exploit, CVE-2012-0158, has been around for well over three years.


Location-based threats: How cybercriminals target you based on where you live

Much like legitimate businesses, cybercriminal enterprises have to be dynamic – standing still means falling behind. A significant example of how cybercriminals are evolving is the growing trend of location-based targeting, through what we call “geo-malware” and regionalized email attacks.

Traditionally, we think of online threats in terms of highly targeted attacks on the one hand and opportunistic cash grabs on the other hand. Nation-state sponsored or advanced persistent threat (APT) attackers target specific individuals or organizations, and the more common, financially motivated digital thieves take an “infect them all” approach.

Our SophosLabs research shows that way of thinking is becoming outdated, as APT attackers and common cybercrooks learn and borrow techniques from one another.

Common online crooks have learned how to become more efficient and increase their yield per victim by targeting individuals based on their specific country, using a variety of methods. Here I will go into a few of them: geo IP lookups; traffic direction services; and email targeting. I will also explain how and why cybercrooks avoid certain countries.

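To make the geo IP lookup and traffic direction service (TDS) techniques named above concrete, here is an added illustration of the gating logic such a service applies. It is example code written for this page, not code from SophosLabs or from any real TDS. The IP-to-country table (built from documentation prefixes), the list of avoided countries, the per-country payload labels and the Accept-Language fallback are all constructed assumptions for the example.

```python
"""Geo-targeting gate of the kind a traffic direction service applies.

Added illustration for this page; not SophosLabs code and not a real TDS.
Every table below is constructed for the example.
"""
import ipaddress
from typing import Optional

# Constructed geo-IP table: (network, ISO 3166 country code).  A real TDS
# queries a commercial GeoIP database; these are RFC 5737 documentation ranges.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.128/25"), "DE"),  # more specific than the /24 above
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
]

# Constructed policy.  The page notes that crooks avoid certain countries;
# which ones, and which payload goes where, is assumed here for illustration.
AVOID_COUNTRIES = {"RU"}
PAYLOAD_BY_COUNTRY = {
    "US": "payload-us",
    "GB": "payload-uk",
    "DE": "payload-de",
}
DEFAULT_ACTION = "decoy-page"  # what a non-targeted visitor is shown


def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against GEOIP_TABLE; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def country_from_accept_language(header: str) -> Optional[str]:
    """Region subtag of the first language tag, e.g. 'de-DE,de;q=0.9' -> 'DE'.

    Second signal a TDS can use when the IP is unknown (constructed fallback).
    """
    if not header:
        return None
    first_tag = header.split(",")[0].split(";")[0].strip()
    for sub in first_tag.split("-")[1:]:
        if len(sub) == 2 and sub.isalpha():
            return sub.upper()
    return None


def route_visitor(ip: str, accept_language: str = "") -> str:
    """Decide what a visitor receives: a country-specific payload, or the decoy."""
    cc = lookup_country(ip)
    if cc is None:
        cc = country_from_accept_language(accept_language)
    if cc is None or cc in AVOID_COUNTRIES:
        return DEFAULT_ACTION
    return PAYLOAD_BY_COUNTRY.get(cc, DEFAULT_ACTION)


if __name__ == "__main__":
    # Constructed sample visitors: (source IP, Accept-Language header)
    for ip, lang in [
        ("192.0.2.10", "en-US"),
        ("198.51.100.200", "de-DE"),
        ("203.0.113.7", "ru-RU"),
        ("10.0.0.1", "de-DE,de;q=0.9"),
        ("10.0.0.1", "en"),
    ]:
        print(f"{ip:16} {lang:18} -> {lookup_country(ip)!s:5} {route_visitor(ip, lang)}")
```

The practical consequence for defenders is the same whichever signals the gate uses: a URL or attachment chain replayed from a sandbox in a non-targeted or avoided country returns the decoy, not the payload, so fetch it from the victim's geolocation (and with the victim's language headers) before concluding that a link is benign.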